December 4, 2008 in Security by Vincent King
… a serious vulnerability has been found in Apple Safari on OS X. “In its default configuration shell commands are execute[d] simply by visiting a web site – no user interaction required.” This could be really bad: an attacker can run shell scripts on your computer remotely just by getting you to visit a malicious website.
Full text of the article: http://www.heise.de/english/newsticker/news/69862
Proof of concept from the original discoverer (Michael Lehn): http://www.mathematik.uni-ulm.de/~lehn/mac.html
The problem stems from a feature that is enabled by default: “Open Safe Files after downloading.” A zip file is classed as safe, so it is opened (extracted) automatically; a shell script inside it with no #! line at the start is then executed automatically. No user interaction!
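The risk described above is that an archive classed as "safe" can carry an executable member that runs the moment it is extracted. As an added illustration (not code from the post or from the original discoverer), the following Python scanner inspects a zip archive before anyone trusts an auto-open setting: it flags members whose stored Unix permission bits include execute and records whether each one begins with a #! line. The sample archive is constructed in memory for the demonstration; the file names and contents are assumptions, not real attacker files.

```python
import io
import stat
import zipfile

# Defensive pre-extraction check for zip archives.
# Flags members carrying Unix execute bits (stored in the entry's external
# attributes, which extraction tools preserve) and notes whether the member
# starts with a shebang. A script without #! is exactly the case the post
# describes: a file manager still hands it to the default shell.

SHEBANG = b"#!"


def unix_mode(info):
    """Unix permission bits stored in the high 16 bits of external_attr."""
    return (info.external_attr >> 16) & 0o7777


def scan_zip_bytes(data):
    """Return a list of findings for executable members of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            mode = unix_mode(info)
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if not executable:
                continue
            with zf.open(info) as member:
                has_shebang = member.read(2) == SHEBANG
            findings.append({
                "name": info.filename,
                "mode": oct(mode),
                "shebang": has_shebang,
            })
    return findings


def build_sample_zip():
    """Constructed sample archive used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name, content, mode):
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (mode & 0o7777) << 16  # store Unix mode bits
            zf.writestr(zi, content)

        add("readme.txt", b"just text\n", 0o644)          # plain file, ignored
        add("report", b"echo hello\n", 0o755)             # executable, no shebang
        add("tool.sh", b"#!/bin/sh\necho hi\n", 0o755)    # executable, has shebang
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_sample_zip()):
        print(finding)
```

Run against a real download, the scanner gives a reviewer the information the "safe file" label hides: which members would be runnable the instant the archive is unpacked. The direct mitigation the post points to is to switch off the "Open Safe Files after downloading" option in Safari so that archives are never extracted without a user action.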
Tags: Default Configuration, Discoverer, Os X, Shell Commands, Shell Script, Shell Scripts, Vulnerability
November 11, 2008 in Techniques by Vincent King
Tags: User Education
November 11, 2008 in Techniques by Vincent King
Tags: Social Engineering